In today’s digital age, the majority of data is stored electronically in internet-based cloud software. Whether for convenience or accessibility, or due to physical hardware storage limitations, using a cloud to store data has become a norm for businesses, organizations, and individuals alike. And while cloud systems offer security measures that physical storage systems cannot, they also come with their own set of risks and security threats.

Moreover, the size and even financial power of an organization doesn’t necessarily equate to better and more secure methods of privacy protection for data stored in its cloud. Recent data breaches at large data centers like Experian, Facebook, and Target have proven that the proper protection of private and otherwise sensitive information is paramount, especially when stored electronically.

For healthcare providers, professionals, and clearinghouses (hereto referred as covered entities), HIPAA has specific regulations for safeguarding Protected Health Information (PHI), especially when it comes to the disposal of such sensitive and private data.

HIPAA Regulations & Best Practices for Data Disposal

If you’re a covered entity and need to dispose of data containing PHI, you cannot simply abandon the PHI data or dispose of it using a public container like a dumpster that can be accessed by unauthorized personnel. The only time this is appropriate is if the PHI has already been rendered unreadable, indecipherable and otherwise cannot be reconstructed. In order to fully destroy this data, certain steps must be followed.

This Rule holds especially true with the disposal of PHI and requires the covered entity to not only destroy the electronic PHI (ePHI) and the hardware or electronic media it is stored on, but to first properly dispose of the ePHI data on the media before that media is made ready for reuse.

In addition, the HIPAA Security Rule also requires the covered entity to set policies and procedures for the disposal of ePHI. As part of this mandatory safeguard process, covered entities must also train their workforce members on the proper disposal policies and procedures erected and enforce these policies. See 45 CFR 164.310(d)(2)(i).

It is up to the covered entity to determine a method of data destruction and disposal, by assessing their own potential risks to patient privacy as well as the form, type, and amount of PHI collected and stored. For instance, PHI such as name, social security number, driver’s license number, diagnosis, or treatment information are examples of sensitive information that may necessitate more care with regard to disposal. HIPAA does not require one method of data destruction and disposal over another, so long as the Security and Privacy Rules are followed.

Degaussing is a method of data disposal that completely erases the drive, rendering it unusable

In the case of ePHI, whether on hardware or in an internet cloud system, proper HIPAA disposal methods include overwriting non-sensitive information with software or hardware to clear the data, degaussing the media and rendering the magnetic field permanently unusable, or destroying the media by shredding, melting, pulverization, disintegration, or incineration. You may also opt to maintain a secure area for PHI disposal and/or you are permitted to work with a disposal vendor like SEM to destroy the PHI on your organization’s behalf (so long as there is a written agreement or contract authorized by both parties). There are no set HIPAA rules for how employees or workforce members dispose of PHI; if you have off-site employees who use PHI or ePHI, you can require that they return all PHI to your organization for proper disposal.

Failure to adhere to the HIPAA Security and Privacy Rules could result in unlawful release of PHI, and consequently, the potential for identity theft, employment discrimination or even harm to the individual’s reputation.Moreover, the covered entity can face serious penalties for noncompliance.

Penalties for Noncompliance

In tandem with the Department of Justice, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) are responsible for the administration and enforcement of the HIPAA Security and Privacy Rules for the disposal of PHI.

Failure to comply with the HIPAA Security and Privacy Rules can result in an investigation and audit, and in some circumstances civil and criminal penalties. Factors such as violation date, whether the covered entity was aware of the failure to comply, or whether the failure to comply by the covered entity was willful neglect will determine the end consequence of the violation to either the Privacy or Security Rule.

If found guilty or in violation of either Rule, civil money penalties of $100 up to $50,000 per violation (and not exceeding $1,500,000 per calendar year for multiple violations) can be imposed. A civil penalty may not be imposed under certain circumstances, such as: the failure to comply was not due to willful neglect and was corrected during a 30-day period from the date in which the violation occurred; if the Department of Justice has imposed a criminal penalty; or, if the OCR chooses to reduce the penalty due to reasonable cause in the covered entity’s failure to comply, in that the penalty would be excessive given the nature and extent of the noncompliance.

In addition, criminal prosecution, in the form of a fine of $50,000 and up to one year of imprisonment, can be mandated for a person who knowingly obtains or discloses PHI and ePHI, which can occur as a result of improper disposal of the PHI. The criminal penalty increases to $100,000 and up to five years of imprisonment if the violation involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful act involves the intent to sell, transfer or use the PHI for commercial advantage, personal gain, or malicious harm.

One last note: the HIPAA Privacy Rule does not include requirements for the length of time medical data like PHI should be retained before disposal. Instead, check with your state’s laws for medical record retention rules before disposing of any data.

In the age of sophisticated cyberattacks and data breaches, digital security continues to be a primary concern for government organizations and businesses of every industry. To be effective, today’s security procedures must treat internal threats with the same level of importance as external threats. While it may not be the first thing that comes to mind, a key element of your overall digital security strategy is your plan for what you do with information when it’s no longer needed. Hard drive data destruction is a general term for the process of clearing all sensitive information from your computer hard drives and solid state drives (SSDs), and it’s an essential step for protecting your organization, your customers, and your employees.

There are three methods of hard drive data destruction: erasing (sanitizing), crushing, and destroying. Here’s a look at each option.

Sanitization of the Hard Drive (Erasing): Degaussing

Degaussing is a very effective method of erasing data on magnetic media (hard drives and or data tapes). If you are trying to erase unclassified or sensitive data, a commercial degausser such as the SEM Model EMP-1000 is a perfect solution. The SEM EMP-1000 is the most powerful commercially sold degausser in the marketplace today. With the strength in power at 16,000 gauss (1.6 Tesla), it erases the highest coercivity magnetic media available today without the use of adapters.

However, if you are erasing classified or highly sensitive magnetic media, the NSA listed SEM EMP-1000HS would be the correct choice for your organization. The EMP-1000HS is a 20,000 gauss (2.0 Tesla) machine that has been evaluated by the National Security Agency for use on classified media.

Considerations: when choosing to sanitize hard drives, be sure to choose a company such as SEM that offers both NSA approved and commercial (PII/CUI) type degaussers. Regardless of the sanitization level required, don’t take the easy path of simply reformatting the drive or removing the directory. These methods simply make the data on the hard drive harder to find. The hard drive should be completely erased (sanitized), which the SEM EMP-1000 series can assure your organization on every single degauss cycle.

Crushing the Hard Drive

A hard drive is decommissioned with a SEM Model 0101 hard drive crusher, which is used to permanently destroy the units according to the approved destruction method at Malmstrom’s client systems center. In order to prevent unwanted review of old files and documents, physical storage mediums are degaussed and physically broken before being recycled. (U.S. Air Force photo/Airman 1st Class Collin Schmidt)

Most organizations and their IT leaders know that destroying a hard drive is the most secure way to dispose of data, but they often mistake damaging it for actual drive destruction. Damaging a hard drive with a hammer or by driving a nail into it is less time consuming than hard drive shredding or crushing, but it is also much less secure. For lower volume applications, hard drive crushing is the most secure and economical solution.

SEM’s Model 0101 automatic hard drive crusher is a hard drive crusher that has been evaluated by the NSA and meets NSA and DoD compliance guidelines for the physical damage of media. Note that all classified rotational hard drives MUST be degaussed prior to destruction. Not only does the Model 0101 punch a hole in the drive, it also bends the platter, rendering the drive inoperable. This handy device is compact and affordable, making it the ideal solution for smaller installments or where portability is of key importance.

Destroying the Hard Drive

The fastest and easiest way to destroy a hard drive is to shred it. Hard drive shredders quickly chew up hard drives to particle sizes ranging from 0.75″-1.5″ for rotational media to 0.375″ for solid state media. The SEM Model 0315 Combo Shredder is SEM’s best-selling hard drive shredder that destroys both HDDs and SSDs in one convenient device.

Considerations: The most compliant form of rotational hard drive data destruction that protects your organization from liability associated with data stored on magnetic media’s the NSA’s two-step process of degauss and destroy. This process is only NSA compliant when NSA listed devices are used. Consider the SEM Model EMP-1000HS degausser and the SEM Model 0101 hard drive crusher or SEM Model 0315 hard drive shredder. However, solid state media is not degaussable and stores significant amounts of data on tiny chips. Therefore, the most secure way to destroy solid state drives is by following the NSA directive that mandates a 2mm or less particle, such as is achieved with the SEM Model 2SSD.

On 13 December, 2018, the SEM team celebrated the holiday season. The sales and service teams flew into town for the week so the whole team could be together. The evening started with the company breaking into five teams to participate in escape room challenges at Live Action Escapes in Worcester, MA. We are happy to say that three of the five teams escaped their rooms. The other two tried their best but were stumped in the end. All in all, employees agreed that the experience was a lot of fun.

After the escape room challenge, the group make its way downstairs to The Citizen, where everyone enjoyed each others’ company over food and drinks. The evening was a fun and relaxing way to celebrate the holiday season with the team. Happy Holidays to you and yours!

On November 28, 2018, Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, participated in Operation Playhouse, a unique program offered through Habitat for Humanity Metrowest/Greater Worcester. Operation Playhouse enables local businesses and organizations to build and donate a custom playhouse to benefit the children of local veterans and military personnel. The one-day event culminated with the presentation of the firetruck-themed playhouse to United States Marine Corps Operation Iraqi Freedom combat veteran Richard Brown and his family.

SEM Executive Vice President Nick Cakounes presents the playhouse to USMC Veteran Richard Brown, who served in Operation Iraqi Freedom

The event started at 9am onsite at SEM corporate headquarters in Westboro. SEM employees volunteered to participate in various tasks including painting, constructing, roofing, and decorating the playhouse as well as building accessories. Several authentic firetruck items were donated by the Boston and Dunstable fire departments for use in the playhouse. The construction was overseen by David Hamilton, Community Program Manager for Habitat for Humanity. Veteran Richard Brown and his family, from Dunstable, MA, arrived at 3:30pm to receive the playhouse. Nicholas Cakounes, Executive Vice President of SEM, made the presentation.

“Veterans have a special place in our heart here at SEM,” said Mr. Cakounes. “We are filled with gratitude to those who have served our country and protect our freedom, so giving back in some small way through Operation Playhouse was an absolute honor.”

“This event was incredibly special to me personally,” added Korean War Veteran Leonard Rosen, who is SEM’s founder and Chairman of the Board. “Mr. Brown selflessly served his country, ensuring our rights and freedom. That is a debt we can never repay, so we were thrilled to be able to do something to bring joy to him and his family.”

SEM is a veteran-owned company whose primary client base is the United States Federal Government and its entities, including all branches of the United States Military.

Service Technicians Shawn Barnham, Don Donahue, and Dave Carroll built a custom ladder for the playhouse

Trends in data storage are changing at an exponential rate. The past few years alone have seen the progression of data storage from large servers with magnetic media to cloud-based infrastructure with increasingly dense solid state media. Along with every technological advancement in data storage has come the inexorable advancement of data theft. As a result, the scope and level of responsibility for protecting sensitive and Personally Identifiable Information (PII) has expanded to include not only the originators of data, but also all of the intermediaries involved in the processing, storage, and disposal of data. To address these critical issues and to protect organizations and citizens of the United States, the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has developed NIST 800-88 “Guidelines for Media Sanitization” to promote information system security for all other applications outside of national security, including industry, government, academia, and healthcare. NIST 800-88 has become the predominant standard for the US Government, being referenced in all federal data privacy laws, and has now been overwhelmingly adopted by the private sector as well.

NIST 800-88 assumes that organizations have already identified the appropriate information categories, confidentiality impact levels, and location of the information at the earliest phase of the system life cycle as per NIST SP 800-64 “Security Considerations in the Systems Development Life Cycle.” Failing to initially identify security considerations as part of the data lifecycle opens up the strong potential that the organization will fail to appropriately maintain control of and protect some media that contains sensitive information.

Confidentiality and Media Types

Confidentiality is defined by the Title 44 US Code as “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” FIPS 199 — NIST’s Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems — adds that “a loss of confidentiality is the unauthorized disclosure of information.” Bearing these definitions in mind, organizations must establish policies and procedures to safeguard data on used media. Common methodologies of illicit data recovery include basic acquisition of clumsily sanitized media either through third party sale or old-fashioned dumpster diving, or the more sophisticated laboratory reconstruction of inadequately sanitized media.

Currently, two types of basic media exist: hard copy and electronic. Commonly associated with paper printouts, hard copy actually encompasses a lot more. In fact, all of the materials used in the printing of all types of media, including printer and fax ribbons for paper and foils and ribbons for credit cards, are considered hard copy. Electronic media consists of any devices containing bits and bytes, including but not limited to rotational and solid state hard drives, RAM, boards, thumb drives, cell phones, tablets, office equipment including printer and fax drives, server devices, flash memory, and disks. It is expected that, considering the rate at which technology is progressing, additional media types will be developed. NIST 800-88 was developed in such a way that sanitization and disposal best practices pertain to the information housed on media rather than the media itself, allowing the guideline to more successfully stay current with future innovations.

Media Sanitization – Methodologies, Responsibilities, and Challenges

Three methodologies of media sanitization are defined by NIST 800-88 as follows:

Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).

Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory

Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of

Clear

One of the most commonly used clearing methodologies for data sanitization on magnetic media has traditionally been overwriting using dedicated sanitize commands. Note that basic read/write overwriting is never recommended as it does not address all blocks on the media. Drawbacks to overwriting using sanitize commands are two-fold: 1) it is only effective for magnetic media, not solid state or flash, and 2) this methodology is wide open to operator error and theft, as well as undetected failure.

Purge

A common form of purging used for magnetic media sanitization is electromagnetic degaussing, whereby a dedicated degaussing device produces a build-up of electrical energy to create a magnetic field that removes the data from the device when discharged. Degaussing has long been an acceptable form of media sanitization for top secret government information when used in tandem with a hard drive destruction device such as a crusher or shredder. Degaussing alone poses the same concerns as overwriting in that operator error or deceit remains a possibility. In addition, the strength of the degausser is critical when eliminating sensitive information from magnetic media. Typically, degaussers evaluated and listed by the National Security Agency (NSA) are considered the golden standard.

Destroy

While clearing and purging provide adequate media sanitization involving less sensitive data, destroying is the most effective and permanent solution for secure data applications. Organizations should take into account the classification of information and the medium on which it was recorded, as well as the risk to confidentiality. As the internet continues to expand and the switch from physical to digital document-keeping becomes the industry standard, more and more data holds PII information such as financials, health records, and other personal information such as that collected for databases or human resources. As a result, security-focused organizations are becoming more cognizant of the fact that comprehensive data sanitization — including destruction — must become a top priority.

Industry-tested and accepted methodologies of secure data destruction include crushing, shredding, and disintegration, but even these secure end-of-life solutions require thoughtful security considerations. For example, shredding rotational hard drives to a 19mm x random shred size provides exceptional security for sensitive information. However, a 19mm shred size would not even be an option for solid state media, which store vast amounts of data on very small chips. Instead, sensitive solid state media should be shredded to a maximum size of only 9.5mm x random, while best practices for the destruction of highly sensitive or secret information is to disintegrate the media to a nominal shred size of 2mm2. In addition, some destruction devices such as disintegrators are capable of destroying not only electronic media, but also hard copy media such as printer ribbons and employee ID cards, providing a cost-effective sanitization method for all of an organization’s media.

Responsibilities and Verification

While NIST 800-88 has become the industry standard for secure data sanitization, the guidelines do not provide definitive policies for organizations. Rather, NIST 800-88 leaves the onus of appropriate data sanitization to organizations’ responsible parties including chief information officers, information security officers, system security managers, as well as engineers and system architects who are involved in the acquisition, installation, and disposal of storage media. NIST 800-88 provides a decision flow that asks key stakeholders questions regarding security categorization, media chain of custody including internal and external considerations, and potential for reuse.

Regardless of the sanitization method chosen, verification is considered an essential step in the process of maintaining confidentiality. It should be noted that verification applies not only to equipment and sanitization results, but also to personnel competencies. Sanitization equipment verification includes testing and certification of the equipment, such as NSA evaluation and listing, as well as strict adherence to scheduled maintenance. Organizations should fully train personnel responsible for sanitization processes and continue to train with personnel turnover. Lastly, the sanitization result itself must be verified through third party testing if the media is going to be reused. When media is destroyed, no such verification is necessary, as the pulverized material itself is verification enough. Because third party testing can be impractical, time consuming, and costly, many organizations choose to destroy media to ensure full sanitization of data and in doing so, to greatly mitigate risk.

Conclusion

NIST 800-88 was developed in an effort to protect the privacy and interests of organizations and individuals in the United States. Adopted by nearly all federal and private organizations, NIST 800-88 provides an outline of appropriate procedures for secure data sanitization that both protects PII and confidential information while reducing organizational liability. Determining proper policies is realized by fully understanding the guidelines, following the sanitization and disposition decision flow, implementing data sanitization best practices, and engaging in ongoing training and scheduled maintenance. Because NIST 800-88 guidelines do not provide a definitive one-size-fits-all solution and are admittedly extensive, working with a knowledgeable data sanitization partner is key to a successful sanitization policy.

As the world marches inexorably towards a completely digital future, there is an ever-increasing demand for cloud-based data storage. To accommodate this digital sprawl, expansive data centers are being built at a rapid rate, with their servers continuously writing and overwriting data onto increasingly dense hard drives, with absolutely no downtime. As a result, data centers are constantly removing and replacing hard drives as they fail. The big question: what happens to the old drives?

The answer is not a simple one. Several methodologies are utilized for end-of-life data disposal, many of which are determined by security compliance requirements — such as NSA, NIST, HIPAA, and more recently GDPR— as well as health, safety, and environmental standards. In addition, volume of e-waste and drive type also come into play when determining the best solution for IT asset disposition, or ITAD. Regardless of the methodology employed, the commonality of secure ITAD is the critical importance of complete data sanitization.

News stories on data breaches, cybersecurity threats, and compromised personal information have become a daily occurrence, and both rotational hard disk drives (HDDs) and solid state drives (SSDs) store vast amounts of data on small surfaces. Even when these devices are cracked, scratched, or broken, data is still retrievable from remaining fragments — as long as the remaining pieces are large enough. Drilling into a platter-based hard drive or snapping a solid state drive into several pieces is largely ineffective at preventing the possibility of data retrieval. Likewise, erasure, overwriting, and/or reuse of hard drives is a completely inadequate method of end-of-life data disposal. Erasure and overwriting frequently miss small blocks of data on the drive, making reuse an absolute security disaster. Even small amounts of personal or sensitive data left on a drive can result in catastrophe if the device is compromised. Any company truly concerned about secure ITAD understands that total destruction of the drive is the only acceptable option.

HDD and SSD destruction is accomplished through crushing, shredding, or disintegration of the drive, and the ultimate solution is largely dependent upon drive type, volume, and security requirements. In addition, convenience, operator health and safety, space limitations, user interface, noise concerns, and budget also have an impact. Choosing the right solution isn’t as simple as picking a shredder from a catalog, and instead requires a comprehensive situational consultation and assessment. Because most manufacturers of data destruction devices don’t offer consultative services, many data centers, hospitals, educational, and financial institutions find themselves frustrated with the process and instead turn to outside vendors to manage their data destruction – a decision that invites the potential for serious consequences.

Third party data destruction services are available as either off-site or on-site. Off-site services pick up discarded drives at the client’s location and transport them to a data destruction center. The inherent risk with off-site data destruction is three-fold:

Allowing drives with live data to leave the premises increases liability.

Some less-than-savory off-site destruction companies have been known to employ questionable business practices. For example, one company caught their disposal vendor trying to outsource destruction to a third party, and then caught a different vendor selling off old devices rather than destroying them, even though their contract explicitly said not to do so.

The extended chain of custody with off-site destruction exacerbates risk.

Third party on-site data destruction is a better option, but still carries with it some uncertainty. Third-party destruction services only provide the most commonly utilized destruction devices; therefore, unique devices and more stringent regulatory requirements present challenges to many third-party providers. In addition, drives still physically leave the premises and are in the hands of people not in the drive owner’s employ. Unfortunately, the introduction of each and every outside element adds a layer of risk that exponentially increases liability.

Clearly, the safest, most secure methodology for sensitive end-of-life asset disposal is in-house, on-site hard drive destruction. Fortunately, solutions exist that readily meet the strictest regulatory, health, safety, and environmental requirements, as well as accommodate today’s more rugged enterprise drives and ever-increasing drive volume. Shredders and disintegrators are available with different final particle shred sizes, horsepower, throughput, and even noise level, and degaussing and crushing solutions are available that meet even the NSA’s stringent two-step requirement for secure HDD disposal. The most demanding organizations will even find the availability of comprehensive in-house documentation options that provide a fully audit-proof destruction paper trail for meticulous record-keeping that mitigates liability.

One question remains: what is the best in-house data destruction setup? The reality is that there is no easy answer. Determining the most efficient and effective solution can pose a challenge without proper guidance, and most data destruction solution providers have limited depth of expertise. After all, the demand for large-scale secure data destruction is relatively new, as data centers didn’t even exist until the early 1990s. Having been in the secure information destruction business since 1967, SEM provides a unique approach to end-of-life ITAD by working as a trusted partner with our clients, who benefit from our extensive industry knowledge and decades of experience with top secret government clients and their demanding destruction requirements. The good news is that once the most cost-effective and secure in-house data destruction solution has been determined, security-focused organizations enjoy the ultimate in data protection, efficiency, and peace of mind.

With GDPR just around the corner, data security has been enjoying some much-needed time in the limelight. Never before has there been such a hyper-focus on the protection of sensitive data, particularly confidential and personally identifiable information (PII) such as healthcare records, personal data, financial information, and legal records. While data privacy conversations have more traditionally revolved around identify theft issues, the new GDPR regulation prioritizes the fiduciary responsibility of all sensitive and personal information.

Savvy organizations began planning and implementing their GDPR compliance programs months ago. Because of the numerous ways in which GDPR mandates data privacy across all storage media and within all facets of an organization, a comprehensive compliance program requires a well-researched, detailed approach with multi-departmental buy-in and execution.

For example, a healthcare provider possessing sensitive patient data in the form of medical records is obvious. What would not be so obvious would be the numerous other places where a patient’s PII may reside. The scheduling department keeps PII such as address and birthdate, the billing department has financial and insurance information, while the marketing department may possess email and browsing data for patient communications. And let’s not forget the backup servers. Personal data is literally everywhere.

Safeguarding sensitive data throughout an organization is critical, and many organizations are well aware of the need for firewalls, passwords, physical security measures, encryption, and employee training. What may be more of a need and challenge for some organizations is GDPR’s Article 17 Right to Erasure, also known as the “right to be forgotten.” While it is not an absolute, the basic premise of Article 17 is that an individual’s request to have his data removed must be honored within 30 days. In some instances, the request is not realistic. For example, banks must retain records for a minimum of seven years, so deleting the data would be in direct conflict to an existing legal mandate. However, Article 17 states that individuals have the right to have their personal data erased without undue delayif the data is no longer necessary for the purpose for which it was originally processed or collected, and this applies in a large number of cases with consumer transactions.

Consumer transactions typically include the storage of personal information such as address, phone, and payment information. While large organizations may have their own servers and storage solutions and are therefore more easily able to purge a consumer’s data from their system, the thousands of smaller organizations typically rely on outside vendors and cloud storage providers to manage their data. Data stored in the cloud is actually housed in data centers, where data is duplicated across multiple drives in an effort to create redundancies that help to mitigate data loss when drives fail — and drives DO fail on a very regular basis. After all, these drives are running 24 hours a day, seven days a week, year-round, so their life expectancy is understandably rather short. When a drive fails, the data it contains is still for the most part intact. Therefore, a comprehensive data disposition program should always include drive destruction so that personal data is not compromised at end-of-life. But end-of-life is only part of the problem. Smaller organizations and others who outsource their data storage must confirm with their providers that their data removal policy is GDPR compliant and must include policies and procedures for the Right to Erasure in their GDPR programs.

GDPR is a broad and encompassing regulation that is actually long overdue. While implementing a GDPR program is proving to be more challenging than organizations may have originally thought, particularly with regard to Article 17 and the Right to Erasure, the safeguarding of data and the diligent focus on data privacy have been positive results of GDPR. In a time where data breaches and identity theft are increasing exponentially, the implementation of a means by which to protect our privacy and security is most welcome.

As everyone in the industry knows, cybersecurity is a hot commodity these days. According to a definition by Techopedia, cybersecurity refers to preventative methods used to protect information from being stolen, compromised, or attacked. There are any number of ways to protect networks and data storage facilities from cyberattacks, and these methodologies are constantly evolving. Just as the flu virus mutates in reaction to vaccines, so do cybercriminals modify their nefarious behaviors in response to cybersecurity enhancements. Therefore, cybersecurity must constantly evolve, becoming more sophisticated and invasive. However, an often-overlooked area of cybersecurity leaves organizations susceptible to data breaches: hardware end-of-life.

As cloud storage continues to expand at an exponential rate, data centers are popping up all over the globe, and these gargantuan facilities are expected to safeguard the vast amount of data they store. It is now commonplace for data storage facilities to employ a Chief Security Officer (CSO) or a Chief Information Security Officer (CISO) in an effort to stay ahead of hackers and criminals. CSOs and CISOs ensure that data centers are secure and protected by implementing sophisticated products and services including password protection, anti-virus/anti-malware software, software patches, firewalls, two-factor authentication, and encryption methods, all of which come at an extremely high economic cost. According to the 2017 Official Annual Cybercrime Report sponsored by Herjavec Group, it is predicted that global spending on cybersecurity products and services will exceed $1 trillion over the five-year period of 2017 to 2021. Clearly, organizations understand the criticality of a comprehensive data security plan. So why is hardware end-of-life, which is relatively inexpensive in comparison to other cybersecurity spending, not part of this plan?

The answer is simple: a devastating breach has not yet occurred through drive recovery. But it’s only a matter of time.

Airmen from the 341st Communications Squadron at Malmstrom Air Force Base replace worn computer parts, destroy used hard drives, and check system functions as part of their daily operations. The US Air Force utilizes SEM IT destroyers. Photo courtesy Malmstrom Air Force Base.

While it is well understood that recovering files from failed and erased hard drives is relatively simple, much of the evidence in hard drive recovery is anecdotal. Students from various higher learning institutions including MIT and University of Vancouver have conducted studies that found drives sold on eBay to contain sensitive data. Criminals in Africa are well known to salvage old drives from landfills and mine the data for identity theft. Even NAID has conducted a study that found sensitive information on eBay drives. Even more alarming is Idaho Power Company learning that over one third of the drives they had contracted to be destroyed and recycled actually ended up on eBay – along with the sensitive, confidential company and employee data they contained. And there are myriad similar studies and evidence of data recovery from failed or erased drives.

So where is the public outrage and demand for more secure drive disposal? The reality is that there has not yet been a truly significant breach as a result of hardware end-of-life recovery. The NSA has long understood that hardware end-of-life leaves sensitive information vulnerable, and they have strict regulations in place for dealing with information disposal, from paper to optical media to hard drives. But many organizations seem to think that erasure, overwriting, or a quick drill to the drive is “good enough” — dangerous thinking that could not be more erroneous.

Truly security-minded organizations understand that the only way to ensure data security and privacy at hardware end-of-life is on-site drive destruction. And while some forward-thinking CSOs and CISOs have already implemented such measures, most have not. It is only a matter of time before a major (read: expensive) breach occurs as a result of end-of-life drive recovery, at which time the masses will demand an explanation as to why drive destruction had not been addressed in the first place. To which I will say, “I told you so.”

Data security is a hot topic these days, and for good reason. In 2017 alone, 1,579 data breaches occurred in the United States with an average cost of $7.35 million per breach. According to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center (ITRC) and CyberScout, the 2017 breaches represent an unprecedented 44.7 percent increase over the record breaking number of breaches in 2016, and the number is only expected to grow. In fact, it is anticipated that the global cost of cybercrime will exceed $2 trillion by 2019, which is three times the 2015 estimate of $500 billion.

The top five categories of organizations affected by data breaches include general business, medical/healthcare, banking/credit/financial, education, and government/military, in that order. These categories certainly make sense since they are the organizations that house the most sensitive, and therefore illicitly valuable, data. It should come as no surprise that of these organizations, government/military rounds out the bottom with less than five percent of total breaches. After all, the federal government understands the need for secrecy, and has set the bar for data security and privacy. Even commercial organizations are now trying to implement best practices originally dictated and instituted by government agencies, including the Department of Defense (DoD), the National Security Agency (NSA), Homeland Security, and the Department of Securities and Exchange.

Data breaches affect the privacy and security of individuals, businesses, and governments while costing the breached organization extensively. Costs include everything from covering credit monitoring for affected individuals to settling lawsuits to lost business and reputation. Cost per record of a U.S. data breach is an astounding $245, while the average number of exposed records is over 28,000. Add to that the fact that, according to Soha Systems Survey on Third Party Risk Management, 63 percent of all data breaches are linked to third parties such as vendors, contractors, or suppliers, while only two percent of IT professionals consider third party security a top concern. Clearly, the criticality of data security throughout its lifecycle, including end-of-life which is typically either controlled by a third party IT asset disposition company or ignored altogether, cannot be overstated. The grim reality is that businesses are fully responsible for the data that they collect and store, and a breach resulting from third-party culpability does not deflect liability.

Agbogbloshie, Ghana – Many young men are developing cancer in their 20s as a result of the toxicity of the environment from discarded electronics

It is easy to illustrate the severity of data insecurity resulting from third parties. Ghana, well known to be one of the top sources of cybercrime globally, is home to Agbogbloshie, a digital graveyard in the slums on the bank of the exceedingly polluted Korle Lagoon. This area, known as Sodom and Gomorrah by outsiders, is one of many computer and electronics landfills around the globe. Not only is this area an environmental disaster due to the antimony, arsenic, lead, mercury, and other toxic metals leaching into the water and soil from the electronic devices, it is also a hotbed of sensitive data waiting to be exposed. The discarded computers and electronic devices found in Agbogbloshie come from developed nations around the globe including the United States. Originally pitched to the locals as a means to help with the digital divide, these electronic “donations” actually contain less than 50 percent working computers with the rest being simply electronic trash. The residents have learned to salvage the devices or their parts to turn a small profit, but the real threat comes from the organized crime in the area that scours the drives for personal or sensitive information to use in scams or blackmail.

Used hard drives being sold on Lamington Road in Mumbai, India

As part of an investigation into this digital dumping ground, journalism students from the University of Vancouver, British Columbia purchased seven hard drives at a cost of $35 from an Agbogbloshie e-waste dealer. What they found was shocking: credit card numbers, social security numbers, bank statements, as well as personal information and photos. They also retrieved a sensitive $22 million dollar U.S. defense contract from U.S. military contractor Northrop Grumman’s hard drive, which also contained sensitive contracts with NASA, the Transportation Security Administration (TSA), and Homeland Security. And all of this came from just seven hard drives.

In 2003, two Massachusetts Institute of Technology (MIT) graduate students published a study regarding their purchase of 158 hard drives from places such as eBay and small salvage companies. Of these, 49 contained sensitive information including PII, corporate financials, medical data, and over 5,000 credit card numbers. One of the students, Simson Garfinkel, is now the US Census Bureau’s Senior Computer Scientist for Confidentiality and Data Access and the Chair of the Bureau’s Disclosure Review Board. Prior to that, he was a computer scientist at the National Institute of Standards and Technology (NIST).

In yet another 2003 study, Tom Spring from PC World Magazine acquired ten used hard drives in the Boston, MA area from thrift stores and salvage yards. Nine of these ten drives contained sensitive data including social security numbers, credit card numbers, and banking statements, as well as tax, medical, and legal records. Using the information found on the drives, Spring contacted the original owners of the drives, some of whom had contracted electronics disposal or recycling companies to erase their hard drives.

In 2006, Idaho Power Company learned that 84 of the 230 hard drives they had contracted salvage vendor Grant Korth to sanitize and recycle had actually been sold to third parties on eBay. These drives contained sensitive information including proprietary company information, confidential correspondence, and employee data including social security numbers.

In 2009, Kessler International, a New York based computer forensic firm, purchased 100 drives from eBay over a period of six months. 40 of these drives were found to contain sensitive, confidential, and personally identifiable information as well as corporate financials, personal photos and emails, and even one company’s secret French fry recipe.

In 2014, the National Association for Information Destruction ANZ (NAID-ANZ) published a study regarding their purchase of 52 used hard drives from eBay and other third parties. The recovered drives came from law firms, accountants, medical facilities, educational institutions, and numerous individuals. Data recovered included medical records, social security numbers, tax and financial information, sensitive court case documents, personal photos and videos, bank statements, confidential client information, disability insurance applications including highly sensitive personal financial and medical information, profit and loss statements, employee HR files, company invoices, and spreadsheets including name, address, phone number, salary, DOB, and occupation. Of the drives with recoverable information, over 90 percent of them had deleted or formatted partitions, a clear indicator that the owner had made an attempt to sanitize the data prior to disposal.

We could go on and on.

When disposing of end-of-life data, many companies turn to data disposal or recycling vendors and assume that their drives — and the data they contain — are being handled responsibly and safely. The reality is far different. While there are certainly many reputable data sanitization companies, it is just too risky to entrust sensitive information to any third party, simply because of the unknown. In addition to sloppy or greedy third party IT asset disposition companies, there are a growing number of sham recyclers in operation – companies that offer to pick up and recycle PCs for free, then actually sell them to cyber criminals specifically so they can mine the data they contain for illicit activity.

Hard drive being destroyed in a SEM combo shredder

The only truly secure method of IT asset disposition is drive destruction. While it is tempting to make a few dollars per drive by sending to a recycler or attempting to wipe and resell, the potential cost of a data breach far outweighs any financial gain from reselling. The National Security Agency has long known this truth and requires rotational platter based hard drives to be both degaussed (erased) AND physically destroyed prior to disposal. Not only does drive destruction through crushing, shredding, or disintegration ensure data privacy and security, it also is environmentally responsible. Shredded hard drive scraps are more easily sorted for metals recycling, leaving a smaller quantity of true waste and less likely to end up in Agbogbloshie.

Definition of Cloud Security from the Cloud Security Alliance (CSA):Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Recently, there has been a hyper focus on cloud security — and with good reason. According to a report by McAfee titled “Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security,”cloud services are now a regular component of IT operations, utilized by more than 90% of organizations globally. In fact, 80% of all IT budgets are committed to cloud apps and solutions. Service companies have the highest adoption of public cloud platforms with engineering and government having the highest adoption of private clouds. Amazingly enough, this surge in cloud adoption is not equally met with security and trust with only 23% of organizations today trusting public clouds to keep their data secure. And yet, 62% of organizations reported storing personal customer information in public clouds.

These statistics indicate that cloud security is lagging far behind cloud storage and adoption — similar to cell phone batteries. Cell phone technology continues to advance at an exponential rate while cell phone battery technology advancements are sluggish at best. As a result, cell phone battery life continues to be a major consumer issue regardless of the technological advancements made by cell phone manufacturers. What good is a beautiful, high resolution screen with lightning fast processor if the phone can’t handle the battery load? Likewise, cloud security threats have escalated alongside cloud data expansion due in large part to the sheer number of records now being stored. For example, the number of data breaches from 2014 to 2015 actually decreased, while the number of compromised records containing sensitive information more than doubled from 67 million to 159 million in the same time period. The decreased number of data breaches is indicative of the consolidation of cloud data storage providers, and yet the large increase in compromised records show that one data breach affects far more records today than it did just five years ago.

As a result of the serious challenges presented by cloud data security, numerous methodologies have been recommended in an effort to combat the reputation degradation and astronomical cost associated with compromised data. Some of the more frequently utilized processes include user authentication, encryption of data both in transition and at rest, ongoing vulnerability testing, role-based access control (RBAC), intrusion detection and prevention technology, and staff training. In addition, the establishment and enforcement of cloud security policies is critical to the success of any data protection program. In researching cloud security, any number of articles and guides can be found that address the aforementioned strategies. An incredible amount of focus is placed on encryption, end point security, user controls, and conducting security audits. All of these strategies focus on protecting data from digital threats such as hackers and bots, which is of huge importance. However, a critical piece of security control is missing from most data security plans – an end-of-life policy.

Cloud security providers who actually define an end-of-life strategy are rare, and a comprehensive program is even rarer still. Many providers erroneously think that erasing or overwriting a disk is sufficient, or more unsound thinking that a failed drive is precisely that – failed, and non-recoverable. Unfortunately, nothing could be further from the truth. Drives that were “erased” have shown up on eBay with sensitive information and overwritten and failed drives invariably contain original data that is fairly easy to recover. Criminals and thieves tend to be one step ahead of security and law enforcement initiatives, and cyber criminals are no exception.

Degaussing followed by crushing is one methodology for sanitizing hard drives that has been approved by the NSA.

Fortunately, many compliance regulations do address data end-of-life, which is why any cloud security provider should adhere to an appropriate regulation. Whether HIPAA, FACTA, FISMA, PCI DSS, or the most stringent NSA requirements, these compliance regulations are put in place to protect sensitive data and personally identifiable information from falling into the wrong hands whether through firewall vulnerabilities or data retrieval at drive end-of-life. In-house data destruction is the ideal way to securely manage drives at end-of-life; however, the method of data destruction varies greatly depending on volume, location, regulatory requirements, and operational procedures. There are many data destruction devices available from high security disintegrators capable of handling up to 500 drives per hour to enterprise specific, portable, and NSA listed solutions. There is simply no one-size-fits-all solution when it comes to data destruction; therefore, organizations looking to incorporate data destruction into their cloud security program should receive a thorough evaluation to determine which solutions best fits their need. One thing is for sure: no cloud security program is complete without addressing end-of-life destruction.

Many third-party providers offer drive end-of-life services, including degaussing and crushing as well as shredding. But while it is possible to outsource data disposal to third parties, it is NOT possible to outsource risk. Therefore, security-minded organizations must evolve towards a risk mitigation approach to data security that includes in-house data end-of-life destruction and disposal. By maintaining a proactive approach to security operations, companies and businesses can reduce the reputation degradation, frantic clean-up, and astronomical cost that typically comes with a reactive approach. Cloud security should not and cannot follow the path of the cell phone battery without disastrous consequences.